Over 26,000 cyber incidents. A 55% surge in a single year. Israel’s latest national cyber report is striking, but the real story is not the numbers. It is what they tell us about where cyber risk is heading next.
According to Microsoft’s 2025 Digital Defense Report, Israel ranked as the third most attacked country in the world.
Around 64% of all Iranian state-sponsored cyber activity was directed at it. And yet its critical infrastructure held.
If you want to understand where cyber threats are heading and what effective defense looks like under real pressure, this is required reading. We also know that time is the one thing none of us have enough of. So, we went through it and distilled it into five clear takeaways.
Takeaway 1: The shift from cybersecurity to cyber readiness is no longer optional
The report recorded 26,498 cyber incidents in 2025, a 55% increase on the previous year. Phishing remained the dominant attack type, rising 35% year-on-year, and credential theft via infostealer malware emerged as one of the five primary breach vectors across all investigated incidents.
What those numbers reflect is not a sudden explosion of new techniques. They reflect the relentless, scaled execution of methods that continue to work because organizations are still not ready for them. Phishing targets people. Credential theft exploits habits. Neither requires the attacker to be particularly sophisticated. They require the defender to be unprepared.
This is why the conversation in security is shifting from cybersecurity to cyber readiness: the operational ability to detect, respond, and recover under real-world conditions.
Takeaway 2: Static training cannot keep pace with adaptive threats and AI is widening the gap
The report identifies AI-powered attacks as one of three defining trends of 2025. Attackers are using AI to generate phishing messages, social engineering scripts, and malware at a level of authenticity that makes them genuinely difficult to distinguish from legitimate communications.
The Directorate noted a further rise in targeted spear-phishing against senior figures in media, academia, defense, and government, campaigns that are personalized, contextually credible, and designed to bypass standard awareness training.
AI-generated attacks are dynamic. They adapt. They improve. And training programs that are updated once a year are not competing with that.
“Attackers are no longer breaking into systems. They are logging in — and AI is making the invitation harder to spot.”
The response must match the threat: AI-native training environments, meaning platforms that generate evolving, realistic attack scenarios and adapt to user behavior. The organizations beginning to build continuous, simulation-based readiness programs now are not ahead of the curve. They are catching up to the threat that already exists.
Takeaway 3: Cyber threats have become socio-technical
One of the most significant findings in the report is a 170% surge in influence and intimidation incidents, attackers using compromised digital infrastructure not to steal data or disrupt operations, but to spread fear.
In each case, the objective was not operational. It was psychological.
Attackers are increasingly using cyber access as a tool for behavioral manipulation, to undermine trust, trigger panic, and destabilize decision-making at scale.
This is a meaningful evolution in how cyber capability is deployed, and it demands a corresponding evolution in how organizations think about risk.
Socio-technical threats require human-centric thinking alongside technical controls: understanding how a breach could be used to manipulate employees, customers, or the public, and preparing accordingly.
Takeaway 4: Speed and scale have permanently changed the attack surface
The report identifies five primary breach vectors responsible for many successful attacks in Israel in 2025. Alongside phishing and credential theft, two others stand out for what they reveal about scale: supply chain compromise and unpatched or misconfigured external-facing systems.
Supply chain attacks were responsible for some of the most damaging incidents in the report.
In both cases, the attack surface being exploited is not the organization itself, but everything connected to it.
The speed dimension matters just as much.
The report’s data on phishing incidents showed a six-fold increase in the volume of malicious links blocked compared to 2024.
In 2025, 31,657 attacks were neutralized, compared to only around 4,500 the previous year.
Attackers are not just launching more campaigns. They are launching them faster, iterating in real time, and exploiting the gap between when a vulnerability is identified and when it is patched.
Organizations that are still thinking about their perimeter as where their own systems end could already be falling behind.
Takeaway 5: The shifting gap between knowing and acting
Perhaps the sharpest operational insight in the entire report is this: during 2025, the Israel National Cyber Directorate proactively contacted approximately 2,300 organizations that were showing indicators of an incoming attack, before any breach had occurred.
This represents a philosophical shift in how national cyber defense is being operationalized. The traditional model assumes the attacker has already made their move. The Israeli approach demonstrates something different: continuous intelligence, distributed in near real time, gives defenders the chance to act before the attack happens.
Most organizations have detection capabilities. The gap here is between detection and execution, between knowing that a threat exists and having the trained, practiced ability to respond to it effectively under pressure.
Intelligence without operational readiness is a warning that no one is prepared to act on.
By year end, 80% of Israel’s critical national infrastructure had reached what the Directorate classifies as advanced defense maturity. That figure is the result of sustained investment in people, practiced response, and shared intelligence infrastructure.
It is not a technology story. It is a readiness story.
Where do we go from here?
Israel’s 2025 Cyber Report is not just a national threat summary.
It is a detailed record of what sustained cyber pressure looks like and what separates organizations that hold the line from those that don’t.
The attacks are scaling. AI is making social engineering faster and more convincing. The supply chain has become a primary vector. And the organizations best placed to weather this are not those with the most advanced tools. They are those that have closed the gap between awareness and action.
The report closes with a line from the head of the Directorate:
“We cannot choose when the next battle will begin. But we choose to be ready for it.”
That choice is available to every organization. The question is whether they are making it.
Further Reading & Sources
- Israel National Cyber Directorate – 2025 Annual Cyber Report: https://www.gov.il/BlobFolder/news/2025report/he/summary2025.pdf
- CrowdStrike – Global Threat Report 2025: https://www.crowdstrike.com/en-us/press-releases/crowdstrike-releases-2025-global-threat-report/
- World Economic Forum – Global Cybersecurity Outlook 2025: https://www.weforum.org/publications/global-cybersecurity-outlook-2025/in-full/executive-summary-4e44b16c32/
- Microsoft – Digital Defense Report 2025
- Radware – Global Threat Report 2025–2026
